Disclaimer: I know nothing about these compliance issues.
> Our company must decrypt ~100 files 7x24 in near real time. How can SSSS
> work - or any reasonable alternative - in such a production environment?
Couldn't you simply password protect the key and unlock it when the
server boots, with several admins entering a part of the password?
Alternatively, to use SSSS, you could wire up an SSSS implementation to
a pinentry, so you don't need specific admins but use any X of Y of
them. In this case, I suggest you use a randomly generated "passphrase"
for the GnuPG key. If you want to make your implementation real shiny,
you could store the actual shares encrypted, with each admin having the
possibility of choosing their own decryption password, so they don't
have to learn a seemingly random number.
To clarify, I mean you write the pinentry implementation and use an
already written SSSS implementation. This pinentry is then invoked when
you gpg-preset-passphrase the passphrase during boot of the server.
Just an idea,
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>